Audit Report

OIG-11-068
BILL MANUFACTURING: Improved Security Over the NexGen
$100 Notes Is Necessary
May 13, 2011

Office of
Inspector General
Department of the Treasury

Contents

Audit Report

    Findings and Recommendations

        Inadequate Security Over NexGen $100 Finished Notes and WIP Sheets at ECF

        Inadequate and Inconsistent Retention Requirements for Security Video and Digital Recordings

        Lack of Updated OPSEC Plans to Address Current Issues With the NexGen $100 Products at ECF

        Recommendations

Appendices

Appendix 1: Management Response
Appendix 2: Major Contributors to This Report
Appendix 3: Report Distribution

Abbreviations

BEP      Bureau of Engraving and Printing
ECF      Eastern Currency Facility
FRB      Board of Governors of the Federal Reserve System
JAMES    Department of the Treasury Joint Audit Management Enterprise System
OIG      Office of Inspector General
OPSEC    Operational Security
WCF      Western Currency Facility
WIP      work-in-process

Improved Security Over the NexGen $100 Notes is Necessary (OIG-11-068)   Page i

Audit Report

OIG
The Department of the Treasury
Office of Inspector General

May 13, 2011

Larry Felix
Director
Bureau of Engraving and Printing

As part of our on-going audit of the Bureau of Engraving and
Printing’s (BEP) production process for the NexGen $100 notes,
the purpose of this report is to convey our observations regarding
physical security over the NexGen $100 notes. In brief, we noted
deficiencies related to the physical security over the NexGen $100
finished notes and work-in-process (WIP) sheets [1] at both BEP’s
Eastern Currency Facility (ECF) in Washington, D.C., and Western
Currency Facility (WCF) in Fort Worth, Texas.
We found (1) inadequate security over finished notes and WIP sheets at ECF,
(2) inadequate and inconsistent retention requirements for security
video and digital recordings at both ECF and WCF, and (3) lack of
updated Operational Security (OPSEC) plans to address security
matters over NexGen $100 finished notes and WIP sheets at ECF.
While our audit of BEP’s production of the NexGen $100 notes is
on-going, we consider these matters serious enough to warrant
immediate corrective action by BEP. Accordingly, we are making
three recommendations in this report to improve BEP facilities’
security over NexGen $100 finished notes and WIP sheets.

In a written response, BEP management provided their corrective
actions taken or planned to implement the recommendations. We
believe these actions are responsive to the intent of our
recommendations and we verified the corrective actions that have
been implemented as of the date of this report. The management
response is included as appendix 1.

[1] NexGen $100 notes are produced using currency paper sheets that allow for 32 “subjects” per sheet
in the initial stages of production. In the final stages of production, the 32-subject sheets are cut into
16-subject sheets, printed with seals and serial numbers, and then cut into finished note form.
This report uses the term “sheets” when referring to WIP and “notes” when referring to finished NexGen
$100s.

The Treasury Office of Inspector General’s Office of Audit and
Office of Investigations are jointly performing this audit to address
significant problems encountered by BEP in the production of the
NexGen $100s and in response to a request from the Department
of the Treasury Assistant Secretary for Management, Chief
Financial Officer, and Chief Performance Officer. The objectives of
our audit are to assess (1) the planning and implementation of the
production process and the events that led to the problems in the
production process; (2) the physical security over the notes that
have been produced; (3) BEP’s plans for the disposition of those
notes; and (4) BEP’s actions, taken and planned, to address the
production problems. We began our audit in December 2010. As
part of our audit which is the basis for this report, we (1) observed
security practices in place at the ECF and WCF production
facilities; (2) interviewed key BEP personnel involved with the
production and security of the NexGen $100 product; and
(3) examined policies, procedures, and other documentation
relating to physical security of the NexGen $100 product.

We conducted our work in connection with this interim report in
accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions in this interim
report.

We plan to report on the other stated audit objectives going
forward.
As part of that work, we also plan to continue to monitor
the physical security over the NexGen $100s.

Findings and Recommendations

Inadequate Security Over NexGen $100 Finished Notes
and WIP Sheets at ECF

Security Weakness Over Finished Notes

According to BEP written policy, finished notes remaining in a
production area should be kept to the absolute minimum necessary
to continue operations. If finished notes are stored in a production
area, the notes should be stored in a security cage under lock and
seal and should be moved as soon as possible. We observed that
ECF stored approximately 54.4 million finished NexGen $100 notes
in a production area. The notes were wrapped in protective plastic,
but were not stored in a locked security cage. As of January 2011,
some notes had been stored in the area for over 9 months.
Normally, finished note products are moved to a secure,
limited-access vault shortly after production.

BEP officials told us that the finished notes were stored in this
production area due to limited available storage capacity and BEP’s
opinion that existing security measures and controls in place were
adequate. While we acknowledge that BEP has certain security
measures and controls in place for all of its production and storage
areas, we believe the unique circumstance created by the
production problems and resulting long-term storage requirements
of the NexGen $100s warrants special consideration.
Storing finished notes in a production area for an extended period of time
is in violation of BEP policy and no waiver for this action was
documented. Additionally, we believe the finished NexGen $100
notes stored in the production area are at increased risk of theft
and loss when compared to other finished notes stored in a secure,
limited-access vault because approximately 225 employees have
access to this production area compared to 21 employees who
have access to the vault.

Another matter of concern is that this particular production area
does not fully meet the criteria established by BEP for a secured
production area because the 26 windows in the area lack
protective security features. BEP security officials told us they did
not request a waiver for this policy exception because of other
security measures in place. For example, the 26 windows that lack
protective features are on the third floor and there have been no
security incidents that have occurred in the past related to these
windows. Nevertheless, we believe this is a matter that requires
management attention, and the rationale for any noncompliance
with existing security requirements should be clearly articulated
and documented.

Security Weakness Over WIP Sheets

According to BEP policy, production areas are not to be used for
the long-term storage of WIP.
At ECF, we observed approximately
4 million NexGen $100 WIP sheets [2] stored in a production area
rather than in a more secure, limited-access storage area. As of
January 2011, some of the WIP sheets had been stored in the
production area for about 4 months. Storing WIP sheets in a
production area for an extended period of time is in violation of BEP
policy and no waiver for this action was documented.

BEP officials told us that they did not move the sheets because
they felt that the security measures and controls in place were
adequate. While we acknowledge that BEP does have a level of
security measures and controls in place for all of its production and
storage areas, we believe the unique circumstance created by the
production problems and resulting long-term storage requirements
of the NexGen $100 WIP sheets warrants special consideration. In
this regard, approximately 460 employees currently have legitimate
and routine access to the product on a daily basis. Additionally, the
WIP sheets are at increased risk of undetected theft and loss
because not all regular production process reconciliations are being
performed.

[2] The approximately 4 million WIP sheets equal about 127 million notes when finished.
In the production area in question, the sheets do not yet include seals and serial numbers and are still in uncut form.

Inadequate and Inconsistent Retention Requirements for
Security Video and Digital Recordings

The length of time BEP currently retains security video tapes and
digital recordings is not adequate given the potential long-term
storage of the NexGen $100 products. BEP’s written policy requires
retention of recordings for 7 years. Despite this policy, BEP officials
told us that WCF currently retains recordings for 1 year for WIP
and 3 years for finished goods, and ECF retains all recordings for
3 years. Current retention practices (1) do not comply with
established policies, (2) are inconsistent between the two
production facilities, and (3) are based on assumptions that
products are moving through a normal production cycle and
promptly delivered to the Federal Reserve System. At this time, the
Federal Reserve System has not accepted delivery of the NexGen
$100 finished notes and the estimated storage timeframe is
unknown.

Lack of Updated OPSEC Plans to Address Current Issues
With the NexGen $100 Products at ECF

BEP policy requires written OPSEC plans be established for
sensitive and security areas that document security controls and
physical security measures to protect bureau resources and
products. Additionally, these OPSEC plans are to be reviewed
annually and re-certified by security and operational managers and
updated as needed to address security concerns.

BEP security officials stated that OPSEC plans for the ECF
production areas containing the stored NexGen $100s discussed
above are not current and have not been re-certified on an annual
basis.
Additionally, no changes have been made to the plans to
address specific concerns regarding the production problems and
long-term storage of the NexGen $100s. Until such time as BEP
and the Federal Reserve System determine the disposition of the
notes, BEP faces a number of unknowns in terms of storage
timeframes and available storage capacity.

According to BEP security officials, the reason the OPSEC plans
were not current is because of policy revisions. Among other
things, security personnel stated they are implementing a new
quantitative risk assessment methodology including surveys and
vulnerability assessments for each area. Once an area is evaluated,
a written security plan will be completed and a specific Area
Security Plan will be developed and posted in the operational area.
BEP security officials also stated that as a result of our review, ECF
elevated the storage issue related to the NexGen $100s to the top
of its list of areas to be evaluated.

Recommendations

We recommend that the Director of BEP do the following:

1. Safeguard all NexGen $100 finished notes and WIP sheets at
   ECF in secured nonproduction areas that have limited and
   controlled access. To the extent practicable, the finished notes
   and WIP sheets should be stored in one location.

   Management Response

   To provide additional security, BEP (1) relocated finished notes
   into a Category I vault, (2) moved WIP sheets (except the
   amount staged for normal production purposes) into Category I
   and III vaults, and (3) documented decisions made throughout
   the unfolding of this matter in a security plan covering
   processing of NexGen $100 work. BEP stated that at this time,
   it is not practicable for all NexGen $100 sheets and finished
   notes to be stored in one location.
   However, appropriate offices
   are evaluating vault space options and updating BEP’s 2008
   vault study, which may provide options to increase vault space.

   BEP also emphasized that while it had taken these steps to
   further enhance security over NexGen $100 work in response to
   the audit recommendation, it is BEP’s position that NexGen
   $100 finished notes and WIP sheets within BEP facilities were
   secure, even for the longer duration that NexGen product
   remained in production areas while production decisions were
   pending. BEP states the decision to store the finished notes in a
   production area was made after careful consideration and was
   based on multiple compensating controls in place, such as
   cameras, access control systems, locking mechanisms, etc.
   BEP officials stated that the area is not readily accessible to
   external intruders due to its location. Persons allowed in this
   production area must clear through a stringent suitability
   determination and background investigation with some of the
   highest standards in the federal government. BEP restricts
   access to the area to those cleared individuals with direct work
   responsibilities in the area. Finally, BEP officials stated that
   finished notes stored in the production area were stringently
   protected and inventoried on a periodic basis by production and
   compliance personnel.

   OIG Comment

   The actions taken by BEP are responsive to the intent of the
   recommendation and we verified that the finished notes and
   WIP sheets have been moved to secured vaults and storage
   areas.

2. Evaluate the policy and practices to retain video and digital
   recordings at ECF and WCF in light of the potentially long-term
   storage needs of the NexGen $100 finished notes and WIP
   sheets.

   Management Response

   BEP will retain already recorded NexGen video footage until the
   work is accepted by the FRB, destroyed, or another decision is
   made by the BEP Director. In addition, BEP is evaluating
   retention options with its new digital video storage system.

   OIG Comment

   BEP’s planned actions generally meet the intent of the
   recommendation. However, BEP will need to establish an
   estimated date for completing its planned actions and record
   that date in the Department of the Treasury’s Joint Audit
   Management Enterprise System (JAMES). In addition, BEP
   should formalize changes in retention dates as policy.

3. Ensure that written security risk assessments and area security
   plans at ECF are updated and regularly re-certified in accordance
   with BEP policy. In addition, the plans should appropriately
   address security over NexGen $100 finished notes and WIP
   sheets.

   Management Response

   BEP has been working to establish a security risk assessment
   program and expects the formal policy to be signed shortly. As
   part of BEP’s risk analysis methodology, comprehensive security
   vulnerability assessments (security surveys) are conducted and
   security measures for a given section are derived based on the
   risk designation of the asset(s) it contains. These assessments
   replace OPSEC plans required under current policy.
   During fiscal
   year 2010, BEP completed numerous security surveys at ECF.
   During fiscal year 2011, BEP will conduct additional
   assessments, which cover the remaining areas requiring study.
   Once completed, the equivalent of the previous OPSEC Plan will
   be on file for every section and any changes required to Area
   Security Plans will be made and refresher training provided to
   affected BEP personnel. Areas containing the NexGen $100s
   have been moved to the top of the risk assessment schedule.

   OIG Comment

   BEP’s planned actions meet the intent of the recommendation.
   We also found that in May 2011, BEP issued policies for
   security risk assessments and area security plans that replace
   the previous OPSEC plan requirements. That said, we consider
   this recommendation to be open until BEP completes its security
   risk assessments and area security plans for areas containing
   the NexGen $100s. BEP will need to establish an estimated
   date for completing these actions and record that date in
   JAMES.

                                ******

We appreciate the courtesies and cooperation extended by your
staff as we inquired about these matters. Major contributors to
this report are listed in appendix 2. A distribution list for this
memorandum is provided as appendix 3. If you wish to discuss
this report, you may contact me at (202) 927-5904.

/s/
Kieu T. Rubb
Director, Procurement and Manufacturing Audits

Appendix 1
Management Response

Appendix 2
Major Contributors to This Report

Office of Audit

Deborah L. Harker, Audit Manager
Gregory J. Sullivan, Jr., Auditor-in-Charge
Elisa J. Pegher, Program Analyst
Theresa A. Cameron, Referencer

Office of Investigations

Sonja L. Scott, Special Agent
Jerome S. Marshall, Special Agent

Appendix 3
Report Distribution

The Department of the Treasury

Deputy Secretary
Treasurer of the United States
Assistant Secretary for Management, Chief Financial
   Officer, and Chief Performance Officer
Director, Office of Strategic Planning and Performance
   Management
Director, Office of Accounting and Internal Control

Bureau of Engraving and Printing

Director
Associate Director (Chief Financial Officer)
Audit Liaison

Office of Management and Budget

OIG Budget Examiner